Lecture 3,4: Multiparty Computation


CS 276 Cryptography, January 26/28, 2016
Lecture 3,4: Multiparty Computation
Instructor: Sanjam Garg. Scribe: Joseph Hui

1 Constant-Round Multiparty Computation

Last time we considered the GMW protocol, which gives us an algorithm for securely evaluating any circuit C(x_1, x_2, ..., x_n) where each party p_i, i ∈ {1...n}, holds a part of the input, x_i. One issue with this protocol is that it may take a very large number of rounds, dependent on the depth of the circuit, because each gate must be evaluated in topological order. Let's consider some ideas to fix this problem.

Currying

Let's consider one simple idea that doesn't work. If we have a circuit C(x_1, x_2, ..., x_n), we can curry the inputs to get a new circuit, say C', that takes in only one input and itself outputs a circuit. Then the next circuit also takes one input and outputs a circuit, and so on, so that C'(x_1)(x_2)(x_3)...(x_n) = C(x_1...x_n). So Alice passes Bob a garbled version of C'(x_1); Bob passes Carol a garbled version of C'(x_1)(x_2); etc. However, this approach cannot possibly work. The reason is that Bob can just simulate Carol, David, etc. in his head, and thus compute C(x_1, x_2, ..., x_n) for any values of x_3...x_n that he might choose.

Rounds independent of circuit depth

Now let's consider an idea that will reduce the round complexity, from depending on circuit depth to independent of circuit depth. The GMW protocol evaluates a circuit C(x_1, ..., x_n) and takes a number of rounds proportional to the circuit depth of C. C may be very deep, but can we find some other, shallower circuit that we can feed into the GMW protocol, that nevertheless allows us to perform the desired computation? Indeed, we can. Instead of computing the value C(x_1, ..., x_n) itself, we will securely compute a garbled version of C; and each party will be able to use the garbled C to compute the desired value.

Recall Yao's protocol. We defined a ppt algorithm, Garble, such that Garble(C, ω, x) for some randomness ω and input x gives us a garbled circuit C̃ (syntactically, a set of encrypted bitstrings and a translation table). C̃, combined with the appropriate labels for x and some input y, can then be used to evaluate C(x, y). In particular, we can let y be empty. Then this gives a garbled circuit C̃ that, when combined with the appropriate labels for x, produces C(x).

Consider the algorithm D(·, ·) = Garble_C(·, ·), which actually performs this garbling operation. It takes as input some randomness, and the concatenated inputs x_1, x_2, ..., x_n. Actually, let's say it takes in ω_1...ω_n and computes ω = ⊕_i ω_i to use as its randomness (so that if any player is uncorrupted, the randomness will be truly random). It outputs a garbled circuit C̃ and some labels: encryption keys for each input wire. Now, note that D can be parallelized: the encryptions for each gate can be computed completely independently of every other gate, so the circuit depth of D does not grow with the circuit depth of C. After all, what does D do? First it has to XOR all the randomness together; this takes circuit depth O(n) (or even O(log n)). Now its only job is to use

some encryption keys (which it reads off from the randomness) to encrypt some other encryption keys (ditto). Each key is encrypted twice, as before. So the circuit depth is O(log n), plus the circuit depth of two encryptions, and it is independent of C. Note that the encryption circuit may increase in depth with the security parameter.

Let's review. We know how to use GMW to evaluate a circuit C, but it takes rounds proportional to the circuit depth of C. Instead of C, we consider another circuit D. D has circuit depth independent of C (dependent only on the number of players and the security parameter). Each player generates randomness ω_i, and we use the GMW protocol to securely compute D(ω_1, x_1, ..., ω_n, x_n), that is, C̃ together with the labels for x_1, ..., x_n. Each player now has access to the garbled circuit C̃ as well as the appropriate input labels; and each player simply evaluates the garbled circuit using the input labels, thus computing the answer C(x_1, ..., x_n).

Security follows easily. GMW guarantees that each player learns nothing except the output, i.e. C̃ plus the input labels. And, in turn, Yao's protocol guarantees that using C̃ and the input labels, each player can learn nothing except the output. So each player learns nothing except the output, and we are done.

Constant rounds: BMR protocol

The above protocol still has round complexity dependent on the security parameter. We would like constant round complexity (assuming the number of players is constant). We will use the same idea as before: use GMW, but instead of computing the answer, compute a garbled circuit, which in turn may be used to compute the answer. The difference is in the encryption that the garbled circuit will use. Before, we used a generic encryption circuit, whose depth might grow with the security parameter. Now, we use a specific encryption scheme which we will define, and this will also require us to change our protocol in some ways.

Recall the simple one-time-pad PRG encryption scheme: Alice and Bob have a shared key k and a PRG G; Alice simply sends m ⊕ G(k), and Bob XORs the message with G(k) to recover it. We will use this as our encryption scheme. Now, we must be extremely careful about what computation we secure with the GMW protocol. Including any sort of complex computation, such as the computation of G(k), will increase circuit depth. So, we will take great pains to keep every possible computation out of GMW; the only thing that GMW will do is to securely combine keys for us by XOR-ing them together.

The garbled circuit structure is similar to Yao's construction. We have a circuit with some gates and wires. Each wire has four keys: two 0-keys and two 1-keys, which we call p_0, q_0, p_1, q_1 respectively. Each gate has four encryptions, one for each possible pair of input values. Suppose we have a gate with input wire α with value 1, and input wire β with value 0, and output wire γ (which happens to be an AND gate, so it has value 1 ∧ 0 = 0). Then we XOR one of α's 1-keys, one of β's 0-keys, and one of the encryptions. Whether we use p or q depends on which of the four encryptions it is; we use the combinations pp, pq, qp, qq once each. The reason we have two 0-keys (p and q) instead of just one, as in Yao's construction, is that we are using the XOR operation, and reusing keys would allow an attacker to discover correlations between the encrypted messages. This gives us the 0-key for the output wire γ (actually it gives us a seed key, which we can use to generate the appropriate keys).

Now, let's describe the protocol.

1. First, each player samples two keys and a blind bit for each wire (either by just sampling

them randomly, or by sampling a κ-bit string s and using it as the seed of a PRF). This gives (k^ω_0(i), k^ω_1(i), λ^ω_i) for player i. The seed key for a wire ω with bit b is the concatenation of each player's keys, key^ω_b = k^ω_b(1) ‖ ... ‖ k^ω_b(n), and the blind bit for a wire ω is the XOR of each player's blind bits, λ^ω = λ^ω_1 ⊕ ... ⊕ λ^ω_n. The blind bit is necessary because each player will eventually learn the correct computation on the garbled circuit, which includes knowing which of her keys was used on each wire. If she knew how her keys correspond with 0 and 1, then she could figure out the value of each wire. The blind bit will be used to randomize the relationship, so that this does not happen.

2. Each player actually generates keys. Specifically, she uses the PRG to generate (p^ω_b(i), q^ω_b(i)) = G(k^ω_b(i)), the two keys for bit b on wire ω. Each key is of length nκ, for a total of 2nκ bits.

3. The players run a GMW protocol to compute four encryptions for each gate. As with the previous construction, the gates can be handled in parallel. Considering a gate g with input wires α, β and output γ, each player feeds the values (p^α_b(i), q^α_b(i)), (p^β_b(i), q^β_b(i)); λ^α_i, λ^β_i, λ^γ_i; k^γ_b(i) into the protocol. That is, she feeds in the 0- and 1-keys for the input wires, all the blind bits, and her keys for the output wire. The protocol then computes, XORed over all players i, p^α_{λ^α ⊕ x}(i) ⊕ p^β_{λ^β ⊕ y}(i) ⊕ key^γ_{g(x,y) ⊕ λ^γ} for x, y = 0, 0; then the same with p, q for x, y = 0, 1; then with q, p for x, y = 1, 0; and finally with q, q for x, y = 1, 1. That is, for each possible value on the input wires, it computes the XOR of the appropriate keys with the output wire's key corresponding to the correct output value, all with the appropriate blinding. How is such a computation carried out? Given specific values of α, β, γ, x, y, the circuit can compute this value by simply performing O(n) XOR operations on the blind bits, keys, and the values k^γ_b(i). Thus it can be carried out with constant circuit depth, and the GMW protocol can be carried out in a constant number of rounds.

4. Each player broadcasts λ^ω_i and k^ω_b(i) for everyone else's input wires. Now, if we consider (say) a wire ω that corresponds to player 1's (Alice's) input, she has been sent λ^ω_i for all i ∈ {2...n}. In addition, she knows λ^ω_1 because she generated it. So she knows the value of λ^ω. On the other hand, player 2 does not know this value, because she does not know the value of λ^ω_1; Alice did not send it to her.

5. Now each player knows the blind bits for her input wires alone. Since she also knows the actual value of her input, she knows which key should be used in the computation. Thus, she broadcasts the keys for her own input wires. Specifically, if the j-th bit of player i's input goes on wire ω, she broadcasts k^ω_{x_i[j] ⊕ λ^ω}. This concludes the protocol.

Lecture 4: IT-Secure Multiparty Computation

We have now seen protocols for secure multiparty computation. However, these protocols relied on computational hardness assumptions. In fact, we can construct protocols that are information-theoretically secure, even against unbounded adversaries. The drawback of this approach is that we will not be able to guarantee security if almost all parties are corrupted by the adversary. We will be able to guarantee security only if at most some constant fraction is corrupted.

One protocol, the CCD protocol, accomplishes this task, but we will not be looking at it as it only guarantees statistical security. Instead, we look at the BGW protocol, which guarantees perfect security against t adversaries. In the semi-honest case, it can protect against t adversaries as long as t < n/2; in the malicious case, as long as t < n/3. A result by Rabin and Ben-Or also provides a construction against t < n/2 malicious corruptions, assuming the presence of a broadcast channel, and providing statistical security.

The basic idea that we will use is secret sharing. A secret sharing scheme works as follows. A dealer has a bit b, and she wants to give shares a_1...a_n to players p_1...p_n such that the players can recover b as long as they all come together and share their values of a_i. This is an n-out-of-n scheme, since all n players need to cooperate; we can also define t-out-of-n schemes, in which only t players need to cooperate. Note that we used this same idea in GMW. GMW had three stages:

1. Secret sharing: each party acts as a dealer and secret-shares a bit b for each of its input wires, by dealing out bits a_i such that ⊕_i a_i = b.

2. Computation: for each gate, the parties securely combine their shares for the input wires to produce shares for the output wire.

3. Reconstruction: all parties reveal their shares for the output wire to recover the desired result.

In the BGW protocol, we will use a t-out-of-n secret-sharing scheme, called Shamir's Secret Sharing. The scheme works as follows. Consider a field F (e.g. the integers modulo a prime) with |F| > n, and n distinct nonzero values α_1, α_2, ..., α_n ∈ F. Sample a random polynomial p(x) of degree t such that p(0) = s, the secret to be shared; player i's share is the point p(α_i). Now given t + 1 points of the polynomial, we can uniquely determine the polynomial and evaluate it at 0 to recover the secret (this is covered in e.g. CS70). Given t points of the polynomial, every value of the secret is equally likely and thus we gain zero information about it.

Now that we've decided on how to share secrets, let's consider the computation phase. We have a function to evaluate, which can be expressed as a circuit composed of addition and multiplication gates (over the field). We'll consider a gate with two inputs, p(0) and q(0), encoded in two random polynomials p and q with shares α_i, β_i split among the n players. Suppose this gate is an addition gate. Then we want to compute the shares of a third polynomial, r, such that r(0) = p(0) + q(0), and r is a random polynomial among all degree-t polynomials with this property. This is simple: our output polynomial is p + q, with (p + q)(0) = p(0) + q(0), and each player computes her new output share as γ_i = α_i + β_i. p + q is clearly a random polynomial (being the sum of two random polynomials) and has the desired evaluation at 0. Similarly, if this gate is a constant-multiplication gate (i.e. we want to multiply the polynomial by a fixed constant c), evaluation is also easy: everyone multiplies her share by c.

How about multiplication of p(0) and q(0)? At first, this may seem easy: pq is a new polynomial that indeed satisfies (pq)(0) = p(0)q(0), so perhaps each player can just multiply her two shares. However, this doesn't work, for two reasons. First of all, the product of two random polynomials is not necessarily itself random (the distribution may be nonuniform). Secondly, the resulting polynomial will be of degree 2t, not degree t. We can fix both of these problems. First, each player i multiplies her two shares, p(α_i) and q(α_i), together. Now the players have shares corresponding to the polynomial pq (note that here is where

we use the assumption that 2t < n; if not, then the players do not have enough points to uniquely determine pq, and the information is lost).

Now, let's fix the randomization problem through a process called rerandomization. This is easy: we can just add a random polynomial r of degree 2t such that r(0) = 0. Any polynomial plus a random polynomial is a random polynomial, so this fixes our problem, and does not change the encoded secret. In order to add this polynomial, one party will be the dealer: she will pick the polynomial at random, generate the shares, and give them to all parties, who will then add the assigned shares to their shares. And since no one party can be trusted to be the dealer, we have every party deal in turn, in total adding n polynomials to our original polynomial. This produces a new polynomial which we will call h(x).

How will we fix the degree problem? We will devise a procedure to truncate our polynomial h(x). Clearly, if we have a random polynomial of degree 2t, chopping off the highest t coefficients gives us a polynomial of degree t that is also random. All parties collectively hold shares h(α_1)...h(α_n) of h(x), and they want to compute shares ĥ(α_1)...ĥ(α_n) of ĥ(x) = truncate_t(h(x)). This can be described as a matrix operation:

  (ĥ(α_1), ..., ĥ(α_n))^T = V_α P^T V_α^{-1} (h(α_1), ..., h(α_n))^T.

V_α is the matrix that evaluates a polynomial of degree below n, with its n coefficients listed in a vector, at the points α_1...α_n. That is,

  V_α = [ 1  α_1  ...  α_1^{n-1} ]
        [ ...        ...         ]
        [ 1  α_n  ...  α_n^{n-1} ]

(verify in your head that this corresponds to polynomial evaluation). Correspondingly, V_α^{-1} is the inverse of V_α, so it converts a polynomial from point-value representation to coefficient representation. Finally, P^T is the truncation matrix: it is an n-by-n matrix with a (t+1)-by-(t+1) identity matrix in the top left corner, and the rest all zeroes.

So, we have h in point-value form; we multiply it by V_α^{-1} to get the coefficient form; we multiply it by P^T to chop off all but the lowest t + 1 coefficients, reducing the degree; and then we multiply it by V_α to put it back in point-value representation. This produces the shares of ĥ(x) that we want.

However, how do we actually perform this computation, without sharing information and thus leaking the answer? Observe that we expressed the computation as a matrix multiplication. This means that the computation is necessarily linear; that is, we can express it as ĥ(α_i) = c_{i1} h(α_1) + c_{i2} h(α_2) + ... + c_{in} h(α_n) for some known constants c_{ij}. Then how do we compute this? Well, this computation consists solely of addition and constant-multiplication operations, which we already know how to do! So, whenever we need to do a multiplication operation, we need to do degree reduction, and we can bootstrap it by running a subprotocol that requires only additions/constant multiplications. Note that at the end of this subprotocol, players do not reveal their shares publicly; they only send their shares to the player that requires them (i.e. player i requires the shares for ĥ(α_i)). Now that we know how to perform addition and multiplication, we can carry out the evaluation of the circuit, and this completes the protocol.

Malicious IT-Secure Multiparty Computation

Now let's try to extend this scheme to the malicious setting. When players can act maliciously, they have many ways to break the protocol. In the computation stage, they can do all sorts of crazy things: send random garbage, send a nonzero polynomial in the rerandomization phase, etc. In the input stage, they could generate a polynomial that is of degree > t, so that different sets of

players see a different polynomial. In the reconstruction stage, they could send incorrect shares.

First, let's think about how to solve the issue of sending incorrect shares in the reveal stage. Let's assume that up to this point, everyone has acted honestly. So we now have a polynomial of degree t, and we have n > 3t evaluations of it at various points, one per player. Everyone reveals their evaluation, but the resulting points may not be consistent with any degree-t polynomial. How do we fix this? The answer is simple: we use a Reed-Solomon code, which is an (n, t + 1, n − t) code (n symbols, t + 1 data symbols, n − t minimum distance between codewords) that corrects ⌊(n − t − 1)/2⌋ errors. When t < n/3, this can correct t errors. For example, if t = 1 and n = 4, so that all of the points lie along a straight line, then I can look at four points and find the line that passes through them, ignoring one point that was corrupted and doesn't lie on the line. In general, the Berlekamp-Welch algorithm can be used to reconstruct the original polynomial.

Secondly, let's think about how to solve the issue of the input. We'll use something called verifiable secret sharing. It works as follows:

1. The dealer D, wishing to distribute a secret s, samples a random polynomial q(x) of degree t such that q(0) = s.

2. The dealer samples a random bivariate polynomial s(x, y) of degree t (i.e. with coefficients c_{tt} x^t y^t + ... + c_{00}) such that s(0, z) = q(z).

3. The dealer sends f_i(x) = s(x, α_i) and g_i(y) = s(α_i, y) to player i.

4. Each pair of players i, j checks that f_i(α_j) = g_j(α_i). If this is not the case, they complain to the dealer.

Why does this work? Let's think about an intuitive argument first. Let's say the dealer is honest, but a few players are dishonest. When players i, j are communicating, j might give some incorrect value of g_j(α_i). If this happens, i will complain to the dealer, reporting the value that she received. The dealer will then be able to recognize that player j is malicious, and can reveal player j's shares publicly. On the other hand, if the dealer is dishonest and gives players incorrect polynomials, this will trigger a much larger number of complaints among players; the players can then recognize that these complaints could not have arisen from malicious players alone, and conclude that the dealer is dishonest.

Now, let's start working towards a proof. One basic thing we should check is that if all the players are honest, and all of the checks in step 4 pass, then there really is a unique polynomial s(x, y) consistent with all players' shares. That is, a dishonest dealer cannot trick a group of honest players without being detected. Let K be the full set of all honest parties. The basic idea is that if we consider a set L of any t + 1 parties, their shares fix a specific s(x, y). Now, if their values of f are consistent with the other players' values of g, this will imply that s(α_k, y) = g_k(y) for all k ∈ K (by definition). Similarly, we must have s(x, α_i) = f_i(x) for all i ∈ K \ L. This ensures that all parties' shares are consistent with s. We will go through the full proof in the next lecture.


More information

Lecture 38: Secure Multi-party Computation MPC

Lecture 38: Secure Multi-party Computation MPC Lecture 38: Secure Multi-party Computation Problem Statement I Suppose Alice has private input x, and Bob has private input y Alice and Bob are interested in computing z = f (x, y) such that each party

More information

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies

More information

An Unconditionally Secure Protocol for Multi-Party Set Intersection

An Unconditionally Secure Protocol for Multi-Party Set Intersection An Unconditionally Secure Protocol for Multi-Party Set Intersection Ronghua Li 1,2 and Chuankun Wu 1 1 State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences,

More information

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4 CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between

More information

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index

More information

Unconditionally Secure Multiparty Set Intersection Re-Visited

Unconditionally Secure Multiparty Set Intersection Re-Visited Unconditionally Secure Multiparty Set Intersection Re-Visited Arpita Patra 1, Ashish Choudhary 1, and C. Pandu Rangan 1 Dept of Computer Science and Engineering IIT Madras, Chennai India 600036 arpita@cse.iitm.ernet.in,

More information

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Solutions for week 1, Cryptography Course - TDA 352/DIT 250 Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.

More information

8 Elliptic Curve Cryptography

8 Elliptic Curve Cryptography 8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given

More information

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2 Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number

More information

Lecture 18: Zero-Knowledge Proofs

Lecture 18: Zero-Knowledge Proofs COM S 6810 Theory of Computing March 26, 2009 Lecture 18: Zero-Knowledge Proofs Instructor: Rafael Pass Scribe: Igor Gorodezky 1 The formal definition We intuitively defined an interactive proof to be

More information

RSA RSA public key cryptosystem

RSA RSA public key cryptosystem RSA 1 RSA As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them.

More information

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups Great Theoretical Ideas in CS V. Adamchik CS 15-251 Upcoming Interview? Lecture 24 Carnegie Mellon University Cryptography and RSA How the World's Smartest Company Selects the Most Creative Thinkers Groups

More information

1 Indistinguishability for multiple encryptions

1 Indistinguishability for multiple encryptions CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message

More information

1 Secure two-party computation

1 Secure two-party computation CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure

More information

Lecture 28: Public-key Cryptography. Public-key Cryptography

Lecture 28: Public-key Cryptography. Public-key Cryptography Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access

More information

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018 COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 16 March 19, 2012 CPSC 467b, Lecture 16 1/58 Authentication While Preventing Impersonation Challenge-response authentication protocols

More information

Fast Large-Scale Honest-Majority MPC for Malicious Adversaries

Fast Large-Scale Honest-Majority MPC for Malicious Adversaries Fast Large-Scale Honest-Majority MPC for Malicious Adversaries Koji Chida 1, Daniel Genkin 2, Koki Hamada 1, Dai Ikarashi 1, Ryo Kikuchi 1, Yehuda Lindell 3, and Ariel Nof 3 1 NTT Secure Platform Laboratories,

More information

Theory of Computation Chapter 12: Cryptography

Theory of Computation Chapter 12: Cryptography Theory of Computation Chapter 12: Cryptography Guan-Shieng Huang Dec. 20, 2006 0-0 Introduction Alice wants to communicate with Bob secretely. x Alice Bob John Alice y=e(e,x) y Bob y??? John Assumption

More information

Lecture 10. Public Key Cryptography: Encryption + Signatures. Identification

Lecture 10. Public Key Cryptography: Encryption + Signatures. Identification Lecture 10 Public Key Cryptography: Encryption + Signatures 1 Identification Public key cryptography can be also used for IDENTIFICATION Identification is an interactive protocol whereby one party: prover

More information

Realistic Failures in Secure Multi-Party Computation

Realistic Failures in Secure Multi-Party Computation Realistic Failures in Secure Multi-Party Computation Vassilis Zikas 1, Sarah Hauser 2, and Ueli Maurer 1 Department of Computer Science, ETH Zurich, 8092 Zurich, Switzerland 1 {vzikas,maurer}@inf.ethz.ch,

More information

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY BURTON ROSENBERG UNIVERSITY OF MIAMI Contents 1. Perfect Secrecy 1 1.1. A Perfectly Secret Cipher 2 1.2. Odds Ratio and Bias 3 1.3. Conditions for Perfect

More information

Lecture 22: RSA Encryption. RSA Encryption

Lecture 22: RSA Encryption. RSA Encryption Lecture 22: Recall: RSA Assumption We pick two primes uniformly and independently at random p, q $ P n We define N = p q We shall work over the group (Z N, ), where Z N is the set of all natural numbers

More information

Multiparty Computation, an Introduction

Multiparty Computation, an Introduction Multiparty Computation, an Introduction Ronald Cramer and Ivan Damgård Lecture Notes, 2004 1 introduction These lecture notes introduce the notion of secure multiparty computation. We introduce some concepts

More information

Oblivious Evaluation of Multivariate Polynomials. and Applications

Oblivious Evaluation of Multivariate Polynomials. and Applications The Open University of Israel Department of Mathematics and Computer Science Oblivious Evaluation of Multivariate Polynomials and Applications Thesis submitted as partial fulfillment of the requirements

More information

SELECTED APPLICATION OF THE CHINESE REMAINDER THEOREM IN MULTIPARTY COMPUTATION

SELECTED APPLICATION OF THE CHINESE REMAINDER THEOREM IN MULTIPARTY COMPUTATION Journal of Applied Mathematics and Computational Mechanics 2016, 15(1), 39-47 www.amcm.pcz.pl p-issn 2299-9965 DOI: 10.17512/jamcm.2016.1.04 e-issn 2353-0588 SELECTED APPLICATION OF THE CHINESE REMAINDER

More information

Notes 10: Public-key cryptography

Notes 10: Public-key cryptography MTH6115 Cryptography Notes 10: Public-key cryptography In this section we look at two other schemes that have been proposed for publickey ciphers. The first is interesting because it was the earliest such

More information

Discrete Mathematics and Probability Theory Spring 2016 Rao and Walrand Discussion 6A Solution

Discrete Mathematics and Probability Theory Spring 2016 Rao and Walrand Discussion 6A Solution CS 70 Discrete Mathematics and Probability Theory Spring 2016 Rao and Walrand Discussion 6A Solution 1. Polynomial intersections Find (and prove) an upper-bound on the number of times two distinct degree

More information

Quantum Error Correcting Codes and Quantum Cryptography. Peter Shor M.I.T. Cambridge, MA 02139

Quantum Error Correcting Codes and Quantum Cryptography. Peter Shor M.I.T. Cambridge, MA 02139 Quantum Error Correcting Codes and Quantum Cryptography Peter Shor M.I.T. Cambridge, MA 02139 1 We start out with two processes which are fundamentally quantum: superdense coding and teleportation. Superdense

More information

Discrete Mathematics and Probability Theory Fall 2014 Anant Sahai Note 7

Discrete Mathematics and Probability Theory Fall 2014 Anant Sahai Note 7 EECS 70 Discrete Mathematics and Probability Theory Fall 2014 Anant Sahai Note 7 Polynomials Polynomials constitute a rich class of functions which are both easy to describe and widely applicable in topics

More information

Secret sharing schemes

Secret sharing schemes Secret sharing schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction Shamir s secret sharing scheme perfect secret

More information

Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries

Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel lindell@biu.ac.il February 8, 2015 Abstract In the setting

More information

Secure Multiplication of Shared Secrets In The Exponent

Secure Multiplication of Shared Secrets In The Exponent Secure Multiplication of Shared Secrets In The Exponent Rosario Gennaro Mario Di Raimondo May 26, 2003 Abstract We present a new protocol for the following task. Given tow secrets a, b shared among n players,

More information

Computing on Encrypted Data

Computing on Encrypted Data Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party

More information

Lecture 9 - Symmetric Encryption

Lecture 9 - Symmetric Encryption 0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,

More information

Lecture 1: Introduction to Public key cryptography

Lecture 1: Introduction to Public key cryptography Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means

More information

Entanglement and information

Entanglement and information Ph95a lecture notes for 0/29/0 Entanglement and information Lately we ve spent a lot of time examining properties of entangled states such as ab è 2 0 a b è Ý a 0 b è. We have learned that they exhibit

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from

More information

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il

More information

Midterm 2. Your Exam Room: Name of Person Sitting on Your Left: Name of Person Sitting on Your Right: Name of Person Sitting in Front of You:

Midterm 2. Your Exam Room: Name of Person Sitting on Your Left: Name of Person Sitting on Your Right: Name of Person Sitting in Front of You: CS70 Discrete Mathematics and Probability Theory, Fall 2018 Midterm 2 8:00-10:00pm, 31 October Your First Name: SIGN Your Name: Your Last Name: Your SID Number: Your Exam Room: Name of Person Sitting on

More information

Lecture 15: Interactive Proofs

Lecture 15: Interactive Proofs COM S 6830 Cryptography Tuesday, October 20, 2009 Instructor: Rafael Pass Lecture 15: Interactive Proofs Scribe: Chin Isradisaikul In this lecture we discuss a new kind of proofs that involves interaction

More information

Secret Sharing Schemes

Secret Sharing Schemes Secret Sharing Schemes 1.1 Introduction 1 1 Handling secret has been an issue of prominence from the time human beings started to live together. Important things and messages have been always there to

More information

Lecture 1. 1 Introduction. 2 Secret Sharing Schemes (SSS) G Exposure-Resilient Cryptography 17 January 2007

Lecture 1. 1 Introduction. 2 Secret Sharing Schemes (SSS) G Exposure-Resilient Cryptography 17 January 2007 G22.3033-013 Exposure-Resilient Cryptography 17 January 2007 Lecturer: Yevgeniy Dodis Lecture 1 Scribe: Marisa Debowsky 1 Introduction The issue at hand in this course is key exposure: there s a secret

More information

Lecture 5, CPA Secure Encryption from PRFs

Lecture 5, CPA Secure Encryption from PRFs CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and

More information

Lecture Notes, Week 6

Lecture Notes, Week 6 YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several

More information

Notes on Zero Knowledge

Notes on Zero Knowledge U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based

More information

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian

More information

Discrete Mathematics and Probability Theory Fall 2013 Vazirani Note 6

Discrete Mathematics and Probability Theory Fall 2013 Vazirani Note 6 CS 70 Discrete Mathematics and Probability Theory Fall 2013 Vazirani Note 6 Error Correcting Codes We will consider two situations in which we wish to transmit information on an unreliable channel. The

More information

Public-Key Cryptosystems CHAPTER 4

Public-Key Cryptosystems CHAPTER 4 Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:

More information

A New Approach to Practical Secure Two-Party Computation. Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank

A New Approach to Practical Secure Two-Party Computation. Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank A New Approach to Practical Secure Two-Party Computation Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank Secure Two-Party Computation Alice has an input a {0,1} * Bob has an input

More information

Lecture 15 and 16: BCH Codes: Error Correction

Lecture 15 and 16: BCH Codes: Error Correction CS681 Computational Number Theory Lecture 15 and 16: BCH Codes: Error Correction Instructor: Piyush P Kurur Scribe: Ramprasad Saptharishi Overview In these two lectures, we shall see how error correction

More information

Cryptography. P. Danziger. Transmit...Bob...

Cryptography. P. Danziger. Transmit...Bob... 10.4 Cryptography P. Danziger 1 Cipher Schemes A cryptographic scheme is an example of a code. The special requirement is that the encoded message be difficult to retrieve without some special piece of

More information

Distributed Oblivious RAM for Secure Two-Party Computation

Distributed Oblivious RAM for Secure Two-Party Computation Seminar in Distributed Computing Distributed Oblivious RAM for Secure Two-Party Computation Steve Lu & Rafail Ostrovsky Philipp Gamper Philipp Gamper 2017-04-25 1 Yao s millionaires problem Two millionaires

More information

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004 CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed

More information

A Verifiable 1-out-of-n Distributed Oblivious Transfer Protocol

A Verifiable 1-out-of-n Distributed Oblivious Transfer Protocol A Verifiable 1-out-of-n Distributed Oblivious Transfer Protocol Christian L F Corniaux and Hossein Ghodosi James Cook University, Townsville QLD 4811, Australia chriscorniaux@myjcueduau, hosseinghodosi@jcueduau

More information

Robust Non-Interactive Multiparty Computation Against Constant-Size Collusion

Robust Non-Interactive Multiparty Computation Against Constant-Size Collusion Robust Non-Interactive Multiparty Computation Against Constant-Size Collusion Fabrice Benhamouda, Hugo Krawczyk, and Tal Rabin IBM Research, Yorktown Heights, US Abstract. Non-Interactive Multiparty Computations

More information

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

CSA E0 312: Secure Computation September 09, [Lecture 9-10] CSA E0 312: Secure Computation September 09, 2015 Instructor: Arpita Patra [Lecture 9-10] Submitted by: Pratik Sarkar 1 Summary In this lecture we will introduce the concept of Public Key Samplability

More information

14 Diffie-Hellman Key Agreement

14 Diffie-Hellman Key Agreement 14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n

More information

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3. COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption

More information

Robustness for Free in Unconditional Multi-Party Computation

Robustness for Free in Unconditional Multi-Party Computation Robustness for Free in Unconditional Multi-Party Computation Martin Hirt and Ueli Maurer ETH Zurich Department of Computer Science {hirt,maurer}@inf.ethz.ch Abstract. We present a very efficient multi-party

More information

On the Round Complexity of Covert Computation

On the Round Complexity of Covert Computation On the Round Complexity of Covert Computation Vipul Goyal Microsoft Research, India vipul@microsoft.com Abhishek Jain UCLA abhishek@cs.ucla.edu Abstract In STOC 05, von Ahn, Hopper and Langford introduced

More information